Experts share their views on vulnerability, impacts and possibilities

Cyber-attacks on PNT Systems – Disturbing evolutions

Guy Buesnel

GNSS signals are very weak when received on the surface of the Earth and that makes them susceptible to a particular set of vulnerabilities – for example, Radio Frequency Interference (RFI), signal spoofing and atmospheric events (scintillation or solar weather). There is a lot of publicity associated with the spread of GPS jamming events around the world – often these events are associated with low-cost GPS jammers that are purchased to prevent tracking. GPS spoofing, by contrast, has often been regarded as an exotic, unrealistic attack scenario that would be too expensive and complicated to become a real-world threat.

GPS anomalies in the Black Sea

Recent events have shown that spoofing needs to be considered as much, if not more, of a threat as interference. There has (rightly) been a lot of discussion on the recent events that took place in the Black Sea – the US Maritime Administration issued an advisory notice in September containing details on the reported disruption.

GPS Spoofing affects smart phones at a major GNSS conference

The threat posed by GPS spoofing was vividly brought home to delegates at ION’s GNSS+ 2017 conference by an incident that took place in the exhibition hall. RF radiation from a piece of GPS test equipment leaked into the hall near a stand, spoofed the date/time and location of numerous cell phones of people who were within range of the signals and rendered some of them inoperable. A number of delegates were unable to recover their phones and were forced to seek further technical help. Whilst the cause of this incident was purely accidental, it highlights the importance of avoiding the generation of spurious over-the-air radio frequency signals and demonstrates the ease with which consumer devices “accepted” the fake GPS signals as authentic – to the detriment of other sensors. Though it is certainly true that in an enclosed, covered exhibition hall, the leaked GPS signals were the only signals available to GPS devices, other sensors should have provided indications that the data being provided by the GPS sensor was conflicting.

This incident took place at a conference where many satellite navigation professionals were present, so the rogue signal was located, isolated and shut down relatively quickly. Under other circumstances – like a malicious attack indoors – the consequences could be much worse.
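The kind of cross-check that the affected devices lacked can be sketched as follows. This is an added example, not code from the article or from any receiver vendor: each new GNSS fix is compared against a local monotonic clock and a maximum plausible speed before it is trusted. The Fix structure, the thresholds, the sample coordinates and the assumption that the first fix is trustworthy are all constructed for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0

@dataclass
class Fix:
    mono_s: float     # local monotonic clock when the fix arrived (not GNSS-derived)
    gnss_unix: float  # UTC reported by the GNSS receiver, in Unix seconds
    lat: float        # degrees
    lon: float        # degrees

def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes, in metres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dp = p2 - p1
    dl = math.radians(b.lon - a.lon)
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def check_fix(ref: Fix, cur: Fix, max_speed_mps=70.0, max_time_skew_s=2.0):
    """Return the reasons why `cur` conflicts with independent evidence.

    ref is the last fix that passed the checks. The thresholds are
    assumptions: 70 m/s suits a road vehicle, 2 s allows for clock jitter.
    """
    dt_local = cur.mono_s - ref.mono_s
    if dt_local <= 0:
        raise ValueError("fixes must be ordered by local monotonic time")
    reasons = []
    # GNSS time must advance at the same rate as the local oscillator.
    if abs((cur.gnss_unix - ref.gnss_unix) - dt_local) > max_time_skew_s:
        reasons.append("time_jump")
    # The implied speed since the last trusted fix must be physically plausible.
    if haversine_m(ref, cur) / dt_local > max_speed_mps:
        reasons.append("position_jump")
    return reasons

def filter_fixes(fixes, **limits):
    """Walk a stream of fixes and return [(index, reasons)] for each suspect fix.

    A rejected fix never becomes the reference, so one bad fix cannot
    drag the baseline along with it.
    """
    flagged = []
    ref = fixes[0]  # assumption: the first fix was obtained under open sky
    for i, cur in enumerate(fixes[1:], start=1):
        reasons = check_fix(ref, cur, **limits)
        if reasons:
            flagged.append((i, reasons))
        else:
            ref = cur
    return flagged

# Constructed sample: a slowly moving device, one fix that jumps about 28 km
# and several years back in time, then a return to consistent data.
SAMPLE_FIXES = [
    Fix(100.0, 1506500000.0, 51.5000, -0.1200),
    Fix(101.0, 1506500001.0, 51.5001, -0.1200),
    Fix(102.0, 1400000000.0, 51.7500, -0.1200),
    Fix(103.0, 1506500003.0, 51.5001, -0.1200),
]

if __name__ == "__main__":
    for index, reasons in filter_fixes(SAMPLE_FIXES):
        print(f"fix {index} rejected: {', '.join(reasons)}")
```

A device that raises these flags can fall back to its inertial sensors, network time or the last trusted fix instead of rewriting its clock and location from the GNSS data alone.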

Other verified instances of GPS spoofing

There have been some well-documented instances of GPS spoofing in the real world that occurred before events in the Black Sea. In October 2016, reports started to surface from Russia that GPS users in the vicinity of the Kremlin found that their devices suddenly showed them to be located almost 20 miles away at Vnukovo airport. There were also reports that GPS users near the centre of St. Petersburg suddenly found that their devices were indicating a location close to Pulkovo airport.

It is speculated that the incidents in the Black Sea, Moscow and St Petersburg are the implementation of a system to prevent drone overflights of sensitive areas – but there is no way to confirm this. If these anomalies were caused by some sort of system designed to deter or disrupt drone flights, it is clear that they have caused a significant amount of collateral impact. The events at ION GNSS+ 2017 acted as vivid corroboration that the impact of replica GNSS signals on innocent users can be significant and widespread.

Spoofing GPS Time

In a paper presented at DEFCON 25 in August, ZX Security showed how easy it is to build a low-cost GPS spoofer and use it to generate fake GPS signals in order to time-spoof an NTP server. The cost of the components that ZX Security used was less than $500, and the process of building the spoofer was described as “a party trick; simple and cheap.” The paper went on to demonstrate how a successful spoofing of time to the NTP server could result in the misuse of Time-based One Time Passwords (TOTP) by a hacker. The paper highlighted the particular vulnerabilities of NTP for this type of time spoofing hack and also showed how it could be exploited to generate an incorrect transaction log.
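Why a verifier's clock matters to TOTP, and one server-side control that limits the damage, can be shown in a few lines. This is an added example, not code from the ZX Security paper: it implements the RFC 6238 calculation, shows that a verifier which trusts only its current clock accepts an already-used code again once its time is set back, and adds a guard that refuses any time-step at or before the last one accepted. The secret and timestamps are the published RFC 6238 test values; the function and class names are hypothetical.

```python
import hashlib
import hmac
import struct

STEP_S = 30  # RFC 6238 default time-step

def totp(secret: bytes, unix_time: float, digits: int = 8) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time-step containing unix_time."""
    counter = int(unix_time) // STEP_S
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def naive_verify(secret: bytes, code: str, server_time: float) -> bool:
    """Verifier that trusts whatever its (GNSS/NTP-disciplined) clock says."""
    return hmac.compare_digest(totp(secret, server_time), code)

class ReplayGuardedVerifier:
    """Verifier that remembers the highest time-step it has accepted.

    Any request that lands on a time-step at or before that one is refused,
    which covers both a replayed code and a server clock that has moved
    backwards. RFC 6238 requires that an OTP is not accepted a second time.
    """

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1

    def verify(self, code: str, server_time: float) -> bool:
        step = int(server_time) // STEP_S
        if step <= self.last_step:
            return False  # clock regression or reuse of a consumed time-step
        if not hmac.compare_digest(totp(self.secret, server_time), code):
            return False
        self.last_step = step
        return True

def demo() -> dict:
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    t_login = 59                      # time of the legitimate login
    t_later = 1111111109              # true time when the old code resurfaces
    old_code = totp(secret, t_login)

    guarded = ReplayGuardedVerifier(secret)
    return {
        "old_code": old_code,
        "guarded_first_use": guarded.verify(old_code, t_login),
        # With a correct clock, the stale code is useless to either verifier.
        "naive_correct_clock": naive_verify(secret, old_code, t_later),
        "guarded_correct_clock": guarded.verify(old_code, t_later),
        # Server time set back to the moment of the original login.
        "naive_rolled_back": naive_verify(secret, old_code, t_login),
        "guarded_rolled_back": guarded.verify(old_code, t_login),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The guard only covers time-steps up to the last accepted login, so the server's time source still needs an independent cross-check before large backward steps are applied.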

The low cost of building equipment to hack GPS

It is now possible to build a very capable GNSS spoofer based on an SDR for less than $500. Most of the software code needed to programme the SDR to act as a GNSS transmitter is readily available on the internet, making it easy to produce a system capable of disrupting drone flights or of manipulating the operation of cell phones indoors.

Whilst it might be theoretically possible for a determined individual hacker to cause some disruption with a low cost device, the sheer scale of disruption experienced in Russia and the Black Sea region suggests that well organised, well-resourced organisations are much more likely to have been behind these instances of GPS disruption.

Fake GPS signals can cause unpredictable behaviour

Re-transmission of GNSS signals or broadcast of replica or “fake” GNSS signals over the air often causes receivers or systems to become “confused” and start behaving unexpectedly, even if they are not spoofed. Sometimes the affected receiver will not recover when the source of the replica signals is removed – necessitating a hard reset of the affected receiver or system. This accords with many of the symptoms experienced by the delegates at the ION GNSS+ conference who were unlucky enough to have had their personal cell phones affected by the signal leak.

GPS jamming is still a significant risk

There is also a great deal of evidence that GPS jamming or interference can degrade the performance of GPS receivers to the point where misleading information is reported by a device. In a well-reported 2010 trial in the UK’s North Sea (the STAVOG project), it was found that receivers affected by GPS interference can report false positional data without generating any warnings or cautions to the user. However, no incorrect signals were generated during the STAVOG project – it was focused on understanding the impacts of GPS jamming on bridge navigation systems.

The need for risk assessment

Developing and testing spoofing detection and mitigation in GNSS receivers should now become a much higher priority for the industry.

It certainly highlights how important it is to test equipment and systems to understand how they are likely to behave when subject to the re-broadcasting or faking of GPS signals, so that mitigating steps can be taken. These tests can be extremely difficult to conduct in the real world – the military often conduct such tests on remote test ranges to ensure that civilian users could not be affected. For commercial users, it can be highly problematic to obtain the permissions and sponsorship to carry out testing on a military range. But it is now possible to conduct detailed simulations of jamming and spoofing effects, which allow the effects to be evaluated without needing to generate an over-the-air signal.

The importance of openness in reporting observed vulnerabilities

The reports of GPS disruption in the Black Sea led to a Maritime Alert message by MARAD. This alert message should result in raised awareness of the potential impact of this sort of event in the GPS user community. It demonstrates the benefits of openness in the commercial sector when it comes to reporting GNSS vulnerabilities. Raised awareness of the potential vulnerabilities of GNSS, and of the need to always “trust but verify” the data it provides, benefits everybody in the whole GNSS value chain – from users to system integrators and developers to manufacturers.

Financial impact of the vulnerabilities of GNSS

Andy Proctor MA, FRIN

There has been a great deal written in this publication about the vulnerabilities of satellites, particularly when providing signals used for Position, Navigation and Timing (PNT) applications. The nature of these vulnerabilities has been studied in great detail over many years: receivers, integrated systems, atmospheric effects, multipath, and sources of interference. The impact of 3 or more constellations on being able to provide robust space-based PNT capabilities is also being studied by researchers and industry, with results showing that Global Navigation Satellite Systems (GNSS) are an essential part of our lives, now and in the future; an invisible utility. There is though a price to pay for this invisible utility, and this article will talk about the economic scale of our dependency.

The extent of our dependency on GNSS is once again becoming a topic of interest to policy makers, politicians and those charged with the protection of the systems we rely on day-to-day. Policy makers understand that times and technology change, and when the UK government (via the Innovation Agency, InnovateUK and the UK Space Agency) started to look again at our dependencies some 3 years ago, it was clear that a knowledge refresh and addition of new work was needed. Some of that work is still ongoing but one aspect that had never been studied in the UK before was the financial impact of the vulnerabilities of GNSS and our dependency upon it.

A study, jointly commissioned by InnovateUK, the UK Space Agency and the Royal Institute of Navigation, set out to answer the question of how much the UK would be impacted financially by a loss of GNSS. We imagined a number of scenarios where loss of GNSS can have impact, the causes of loss and the methodology of how to study this. When study budgets were considered, we set out a single scenario that presented a reasonable worst case rather than lots of perhaps more complex events. We also wanted to look at aspects such as the benefit that GNSS brings to the UK and the public money invested – has it been a valuable investment, delivering sufficient return to justify continued funding?

The scenario chosen was a 5-day total immediate loss of GNSS, with the assumption that systems and backups function as designed. The 5-day value was chosen as it fitted a number of criteria: to follow the recommendations from the Royal Academy of Engineering Report into GNSS Vulnerabilities from 2011, to align with a number of scenarios in the UK National Risk Assessment and to present a reasonable worst case.

Thus our objectives for the study were set:

▪ Identify the industrial sectors that are supported by GNSS in the UK

▪ Quantify the economic benefit to those sectors of using GNSS

▪ Estimate the economic impact to the UK of the loss of GNSS

▪ Identify what mitigation techniques there are, and their cost

▪ Assess the impact of UK public funding in the GNSS domain

The contract was managed by a steering board comprising InnovateUK, UK Space Agency, Satellite Applications Catapult, The Knowledge Transfer Network, the RIN and the Government Office for Science (GO-Science). This brought alignment to GO-Science work on GNSS dependency, the ability to reach out to UK GNSS communities, understanding of the economic factors in markets and the means to facilitate introductions where appropriate. Defence applications were not addressed during the study, to enable it to be published freely.

The methodology of the study was to first perform some secondary research, then conduct a number of one-to-one interviews with stakeholders identified during discussions. These took around 3 months to complete and the quality of the results was greatly enhanced by the willingness of all those who participated to be open and frank with the London Economics (LE) team. The more observant reader will have seen them at the INC16 conference in Glasgow. In the order of 35 people were interviewed from across many areas where GNSS is used in the UK.

In order to understand the benefits and impacts, LE designed a logic model to ensure a consistency of approach over each area of work; this is shown in Figure 1.

For each case analysed, the broad group, application, use and role of GNSS (including any resilience measures) was identified, followed by a clear understanding of the benefits and socio-economic impacts. These were monetised if possible, and the understanding of the impact of the loss was broken down application-by-application; these impacts were also monetised where possible. This logic model has proven a useful methodology to put structure around this type of analysis.

What then did the study find? We found that the answer to the exam question was £5.2bn of financial impact for a 5-day loss of GNSS. This comprised £1.7bn in lost GVA and £3.5bn in lost utility benefits. The biggest sector impacted, somewhat unsurprisingly, was the road sector, with 37% of this value being taken from it. The majority is in lost utility benefits due to time lost to congestion as GNSS-dependent drivers lose the ability to optimise their route, spending more time navigating and going back on wrong turns. Together with other effects that consider the impact of slower-moving GNSS-dependent drivers on the entire road network (i.e. on all drivers), the impact is large. The fact that smartphones are fast becoming the dominant in-vehicle device and some of those can use alternate technologies such as Wi-Fi and Cell-ID was taken into account.

The next largest sector to have a financial impact was the emergency services and justice sector. This comprised mainly the monetisation of the delays and losses due to public service answering points not having the location of emergency calls and the associated increase in time per call. The fleet management benefits enjoyed by police, ambulance and fire services would also be lost. This would increase the response time and result in significant, detrimental impacts. The maritime transport infrastructure in the UK would be the next largest sector impacted by this 5-day loss. These impacts range from nuisance/inconvenience brought about by buoys that are no longer synchronised (making navigating a large vessel in narrow shipping lanes more challenging), to severely detrimental effects from the loss of accurate measures of speed and consequent unavailability of accurate time of arrival at ports. The loss of navigation, speed information and AIS would also most likely cause vessels to slow down, reducing the likelihood that they make the designated timeslot. The impact of loss of GNSS would be particularly high in adverse weather conditions with reduced visibility as vessels would need to reduce speed to ensure they remain in shipping lanes and do not run aground.

The study estimates the various impacts on the automotive manufacturing processes and these can be translated through economic models for the other sectors.

The same sectors also show the greatest benefits of using GNSS; unsurprisingly, the road sector shows the greatest economic benefit from the use of GNSS.

All of these assessments should be considered a minimum, as it was not possible to monetise all of the benefits and GNSS loss impacts, and therefore the study makes clear the impacts in practice would be greater.

Several mitigation strategies are discussed in the study. The most applicable mitigation strategies for the largest number of applications are eLoran and Satelles Time and Location (STL). These high-availability services could mitigate many of the detriments in the maritime sector, and while the accuracy is insufficient for container stacking and autonomous cranes, the ability to schedule port operations and reduce downtime would help to keep ports open. Omnisense SP500 and Locata may be preferred for localised applications that require high levels of accuracy (e.g. surveying and agriculture). Timing applications were found to be mostly resilient to a five-day outage of GNSS, but could implement eLoran, STL, Locata or freely-available Network Time Protocol (NTP) servers as a source of timing for low accuracy applications. If higher accuracy is required, Precision Time Protocols (PTP) or time-over-fibre networks, like NPL-time, are two alternatives.

The public funding aspects in the study could almost be considered a study within a study, as it analysed the rationale for public investment, identified the investments made so far, the schemes and what the target of the public investment has been, and compared this against the counterfactual of no public funding.

The report concludes that there are strong benefits for society, estimated to be between £4 and £5 per £1 of public investment in GNSS. In order to capture these benefits, the UK has made a €1,474m investment in GNSS since 2000. Most of this investment (94%) has occurred through EU channels but €95m has been in the development of new GNSS applications that generate revenue for UK companies, productivity benefits for end-users, and environmental benefits for society. The UK also recently announced a further €30m investment through the European Space Agency (ESA) Navigation Innovation and Support Programme, the majority targeted directly at UK companies to provide help with research and development funding.

In conclusion, a very wide range of economic sectors in the UK rely on GNSS for their daily activities. All critical national infrastructures rely on GNSS to a greater or lesser extent. Communications, emergency services, finance, Government and transport were identified as heavy users of GNSS with the global availability and consistency playing a key role for some. Those critical infrastructures that rely on GNSS have developed over decades to a current situation in which GNSS is an integral source of timing and positioning information, where systems are defined on the basis that GNSS is available.

For professional activities in the UK, GNSS is a primary input for transport (road, air, maritime, and rail) workers, farmers, surveyors and lawyers. Sectors generating 11.3% of UK GDP have been identified as reliant on GNSS to a greater or lesser extent, and the primacy of GNSS inputs in critical infrastructures means that a wide range of sectors is underpinned by GNSS.

Outside of professional activities (or in the household sector), GNSS is used for navigation and information gathering for all types of transport (leisure, commuting), and underpins insurance telematics that rewards safe drivers.

This report is the first report to qualify the economic impact to the UK of the loss of GNSS and has been widely shared across government and those sectors impacted the most. It is clear that no single mitigation will resolve the issues identified, but properly implemented mitigations could reduce the £5.2bn by as much as four-fifths in ideal conditions. We recognise that the study could not address every scenario and some additional areas for study are identified.

What next for this work? The study has been a key input to the Government Office for Science and Cabinet Office Blackett report into the UK functional dependence upon GNSS, and has been used to identify innovations and become a specific area of interest for the current InnovateUK funding round (at time of writing). This means the government has acted directly from the report. The report has also been discussed by the US Government, ESA and the European Commission.

How to be more effective…

John Pottle

Director of the Royal Institute of Navigation, UK.

Good news: Positioning, Navigation and Timing (PNT) systems and applications are getting easier to use with better functionality and performance. However, at the same time “success” in a PNT system is more complex, and certainly more difficult to quantify, than ever before.

To illustrate this, I would like to start relatively recently with the GPS receiver developer at the turn of the century. In those days, success was getting a stable fix and reporting the position as Latitude and Longitude. Perhaps an LCD display was now being driven rather than the LEDs of the past. The display interface offered new levels of flexibility with options to render the position in different formats including, for the lucky few, as cross hairs on a line-drawn map outline. Measuring success by these accomplishments seems rather basic and simplistic in comparison to what can be achieved today.

This is clear if we take that same developer, or the next generation of developer perhaps, today. Pick a growing area such as connected autonomous vehicles (CAV); or a mobile device such as a smartphone; or a drone; or even a robotic logistics facility. Let’s look at the PNT aspects from the developer’s perspective.

Position

Each application example above has in common the necessity of a degree of accuracy in position information, often both absolute and relative position. Sometimes the position is indoors in a so-called ‘GNSS-denied environment’, unable to pick up the all-too-weak satellite navigation signals. Often the position needs to be reported very accurately, particularly relative position where collisions need to be avoided, or an accurate landing is required for example. To achieve this, satellite navigation alone is nowadays rarely enough. The days of autonomous GPS are going, going, gone, indeed often gone already. Today’s systems usually take signals from multiple satellite constellations together with a rich cocktail of sensors (see Figure 1), and integrate these together in a sensor fusion engine to provide blended position information. Sophisticated techniques are now routinely used to tune the sensor fusion algorithms for accuracy. For example, most modern smartphones switch sensor fusion algorithms depending on the context. The context is automatically detected using the inertial sensors, sometimes other sensors as well, in the phone. In simple terms, when your device has detected it is in your hand it’s using a different positioning calculation to when it’s in your car to when it’s in your pocket.

Navigation

Until around the turn of the century navigation was normally achieved through plotting positions to enable a route to be followed. But then came more processing power and data storage. This in turn enabled mass-market routing algorithms. Render those on an electronic map or chart and show current and predicted positions and you have the basis of today’s electronic navigation systems. But our imaginary developer has a lot more than that to deal with today – crowd sourced data points, device accuracy that may regularly be more accurate than the underlying map information, assessing the integrity, or trust, in the position information to name but three. At a recent RIN conference, Jeremy Morley, chief geospatial scientist of Ordnance Survey updated us that a connected autonomous vehicle will generate 1 Petabyte (1,000,000,000,000,000 bytes) of information per year from its various sensors and communications interfaces. That’s roughly equivalent to the data storage of 15,000 contemporary smartphones. Of course much of this is filtered and/or dumped rather than stored … yet something else for our developer to deal with.

Timing

This brings us neatly to timing and, more specifically, the precise time that is needed to enable the world’s synchronised and time-stamped communications. GPS offers free access to very precise time. It’s very reliable and works very effectively. However, as is well understood by PNT experts these days, undue reliance has been placed on a satellite navigation system that has inherent vulnerabilities. The likelihood of disruption may be relatively low but if the impact is high to very high then the risk overall is also high. So our developer also has to contend with natural vulnerabilities as well as man-made ones, be they malicious or unintentional (see Figure 2). The risks need to be identified, assessed, categorised and mitigated in a way that is appropriate for the specific application.

In conclusion, from this brief review of only a couple of example PNT-centric systems and applications, it’s readily apparent that our developer’s life is very complicated. So much so, in fact, that the most successful organisations proactively engage across disciplines and across organisations spanning industry, academia, users and government.